TITLE OF THE INVENTION 
Database access method and system 
capable of concealing the contents of query 



5 BACKGROUND OF THE INVENTION 

(1) Field of the Invention 

The present invention relates to a database access 
method and system and, more particularly, a database 
access method and a data retrieval system, especially, 
10 a data relay server and a database server system capable 
of concealing the contents of a query for data retrieval 
requested from the user or an application program from 
the manager of a database. 

(2) Description of the Related Art 

15 With the advance and spread of the network 

technology such as the Internet, an increasing number 
of computers are connected to networks . In 
association with this, information providing service 
of providing various information to the users via 

20 networks is being widely used. Good examples of the 
information providing service are a patent information 
retrieval system and a gene arrangement information 
retrieval system. 

The users of such information providing service 

25 access computers providing the information service via 
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networks from various computers or terminals. In the 
following description, the computer or terminal 
operated by the user will be called a client computer, 
and the computer for providing information service will 
5 be called a server computer or DB server. Under the 
present circumstances, as client computers, a 
workstation, a personal computer, a small portable 
terminal, and a portable telephone are often used. As 
server computers, a mainframe, a UNIX server, and a 

10 PC server are often used. 

To access the information providing service, the 
user uses dedicated software or a WEB browser on the 
client computer. On the other hand, data management 
and retrieval on the server computer for providing 

15 information service are usually performed by a database 
management system ( h e r e inbe low , called a DBMS) . 

In an access to information providing service, 
for example, in the case of retrieving gene arrangement 
information or patent information, it is desirable for 

20 the user that who accessed the information under which 
conditions can be concealed, that is, confidentiality 
of the name of the user who accessed the information 
and the contents of retrieval is ensured for the 
following reason. In the retrieval of gene 

25 arrangement retrieval, patent keyword retrieval, and 
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the like, a condition itself designated by a query is 
a confidential item, so that retrieval of information 
while ensuring the confidentiality is important to 
promote product development and research and 
5 development. 

By a conventional security technique, for example, 
(1) protection on communication information against 
phone tapping on a network and (2) user authentication 
on the server side to prevent an unauthorized access 

10 are realized. 

Known security real i z ing methods include amethod 
of using an encryption protocol such as SSL (Secure 
Socket Layer) between a client computer and a server 
computer which perform communication with each other 

15 and, as shown in FIG. 13, a method of transferring an 
encrypted inquiry 202 from a client computer 10 via 
a network 203 to a server computer 205 for providing 
information service, in the server computer 205, 
transferring the encrypted inquiry 202 received by a 

20 network interface 206 to a query decryption unit 210, 
decrypting the encrypted inquiry 202 by the query 
decryption unit 210, and searching a database 211 in 
accordance with the decrypted inquiry condition by a 
DBMS 208. A retrieval result 207 is encrypted as 

25 necessary, and the encrypted result is sent to the 
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client computer 10 via the network interface 206 and 
. the network 2 03. 

In the conventional method, however, although the 
inquiry 202 is transferred in the encrypted state on 
5 the network, since the searching process is performed 
in a state where the inquiry is decrypted in the server 
computer 205, the contents of the retrieval the user 
wishes to make them confidential is not concealed from 
the server computer. Consequently, there is a danger 
10 that the contents of the retrieval as confidential 
information are leaked to the ill-intentioned manager 
on the server side. 

In the conventional database access via a network , 
information is secured on condition that the server 
15 is reliable. In the case where a retrieval condition 
itself designated by a query is the target of 
confidentiality, it is difficult to make retrieval 
while concealing the contents of the retrieval from 
the others . 

20 "Data Retrieval System" disclosed in Japanese 

Unexamined Patent Application No. 11-259512 
(Literature 1) is a system for preventing leakage of 
confidentiality of the location of the user, retrieval 
conditions , and the like from history data of a database 

25 trace of a retrieval server by (1) eliminating 
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conditions corresponding to p r e - r egi s te r ed 

confidential items from conditions of a query sent from 
theuser, (2) replacing a condition value with a similar 
term or a broader term by using an inclusive relation 
5 (conceptual hierarchy) of the condition value, (3) 
dividing the input retrieval condition, and (4) 
allowing a proxy server installed between a data 
retrieving apparatus and a data retrieval server to 
access the data retrieval server. 

10 According to the conventional technique 

disclosed in Literature 1, a part of confidential 
information of the user can be concealed from the server 
but there is a problem such that the retrieval 
conditions are acquired by the server. For example, 

15 in fields where a value of a retrieval condition such 
as name or gene arrangement is difficult to be replaced 
with another term by using the inclusive relation, there 
is a problem such that the retrieval condition cannot 
be sufficiently concealed. 

20 According to "resident basic register file 

system" disclosed in Japanese Unexamined Patent 
Application No . 64-14665 ( Literature 2 ), by encrypting 
resident basic register data at the time of data input 
to store the encrypted data into a data file, the 

25 resident basic register file is prevented from being 
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accessed to obtain personal information by an 
ill-intentioned person. In the conventional 

technique disclosed in Literature 2, when data 
registered in the resident basic register file is 
5 matched with user inquiry data, the encrypted data 
stored in the data file is decrypted, and the inquiry 
from the user is not concealed on the server side. If 
themanager of the server has an ill intention, a problem 
such that the contents of the query are known by the 

10 manager arises. 

According to "Method and medium for recording 
personal information" disclosed in Japanese 
Unexamined Patent Application No. 11-272681 
(Literature 3) , in consideration of the problem of 

15 Literature 2 that retrieving efficiency in association 
with data decryption is low and there is a condition 
which cannot be retrieved according to an encrypting 
method, a personal information recording method in 
which it is unnecessary to encrypt whole file data is 

20 proposed. According to the method, (1) personal 
information is divided into a basic information file 
for storing a basic data item and an attribute 
information file for storing the other data, (2) a 
special code for associating the two files with each 

25 other is used as a personal code for specifying the 
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personal information, and (3) as necessary, the 
personal code is encrypted. The conventional 

technique, however, also has a danger of leakage of 
the condition on the server side since the retrieval 
5 condition designated by the user is not encrypted like 
the technique of Literature 2 . 

According to "Method and apparatus for secure 
storage of data" disclosed in U. S . Patent No . 5 , 9 63,642 
(Literature 4) , data itself to be stored in a database 

10 is converted in a bit map, a query of the user is also 
converted in a similar bit map, and a retrieval is made 
by using the bit maps without decrypting the query. 
In the conventional technique disclosed in Literature 
4, however, all of data to be stored in a server has 

15 to be preliminarily encoded in the form of a bit map, 
so that it is difficult to apply themethodto an existing 
database . 



SUMMARY OF THE INVENTION 
20 As described above , ac co r ding to the convent i ona 1 

techniques, in the case of using information providing 
service function which runs on a server computer from 
a client computer via a network, it is difficult to 
receive information service while concealing a 
25 confidential retrieval condition designated by the 



user from the client computer. 

A first object of the invention is to provide a 
database access method and system by which the user 
can use information providing service while concealing 
5 a confidential retrieval condition. 

A second object of the invention is to provide 
a protocol by which information service can be provided 
while concealing an information retrieving condition. 

A third object of the invention is to provide a 
10 data relay server and a database retrieval server 
capable of realizing information providing service 
while concealing a retrieval condition the user wishes 
to protect. 

In order to achieve the objects, according to the 
15 invention, an encrypted query obtained by encrypting 
at least one data item to be concealed included in a 
retrieval condition is transmitted to a server computer 
In the server computer, without decrypting the 
encrypted retrieval condition, data retrieval is 
20 performed by encrypted data matching while encrypting 
data to be retrieved is in a manner similar to the data 
item to be concealed. 

According to another aspect of the invention, 
query conversion such as a query issued by the user 
25 is linked with another query or one query is divided 
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into a plurality of queries is performed. By 
transmitting the converted query to a database server, 
it is able to change the corresponding relation between 
the contents of a query remained as history data in 
5 the database server and the contents of the query issued 
from the user. 

The query conversion is performed by a data relay 
server which is connected between client computers and 
the database server. For example, in the case where 

10 one original query is divided into a first query and 
a second query, the first query is sent from a first 
data relay server which has received the original query 
from the client computer to the database server, and 
the second query is transmitted to the database server 

15 via a second data relay server which operates in 
cooperation with the first data relay server. In this 
case, a retrieval result for the second query is 
transferred to the first data relay server via the 
second data relay server. By performing, in addition 

20 to the encryption of the retrieval condition, 
conversion of the query contents and distribution of 
the requesters of the queries, analysis of user's 
confidential information by the database server 
manager' can be made difficult. 

25 
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BRIEF DESCRIPTION OF THE DRAWINGS 
FIG. 1 is a diagram showing an example of a general 
configuration of a database access system of the 
invention . 

5 FIG. 2 i s a block diagram showing the configuration 

of a data relay server 100-1 illustrated in FIG. 1. 

FIG. 3 is a diagram showing an embodiment of a 
query message transmitted from a client computer 10 
(10A, 10B) to the data relay server 100-1 illustrated 
10 in FIG. 1. 

FIG. 4 is a diagram showing an embodiment of a 
query message transmitted from the data relay server 
100-1 to a DB server 119 illustrated in FIG. 1. 

FIG. 5 is a diagram showing the configuration of 
15 a retrieval management table of the data relay server 
100-1 . 

FIG. 6 is a flowchart showing the functions of 
a query converter 107 of the data relay server 100-1. 

FIG. 7A is a diagram showing an example of the 
20 contents of a database of the DB server 119. 

FIGS. 7B and 7C are diagrams showing an example 
of two queries Ql and Q2 , respectively, to the database 
illustrated in FIG. 7A. 

FIG. 7D is a diagram showing an example of a linked 
25 query generated by the query converter 107 in the data 



11 



relay server 100-1. 

FIGS. 7E and 7F are diagrams each showing an 
example of a distributive query generated by the query 
converter 107 in the data relay server 100-1. 
5 FIG. 8 is a flowchart showing the functions of 

an encrypted query pro ductionunit 108 in the data relay 
server 100-1. 

FIG. 9A is a diagram showing an example of the 
contents of a database. 
10 FIG. 9B is a diagram showing an example of a query 

Q3 to the database illustrated in FIG. 9A. 

FIG. 9C is a diagram showing an example of an 
encrypted query obtained from the query Q3 . 

FIG. 10 is a diagram for explaining an encryption 
15 program produced by an encryption program production 
unit 109 in the data relay server 100-1. 

FIG. 11 is a flowchart showing an example of an 
query processing executed by the DB server 119. 

FIG. 12 is a flowchart showing the functions of 
20 a retrieval result processing unit 111 in the data relay 
server 10 0-1 . 

FIG. 13 is a diagram for explaining a conventional 
data retrieval system using an encrypted query. 



25 



DESCRIPTION OF THE PREFERRED EMBODIMENTS 
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A computer network system realizing information' 
providing service of the invention has: at least one 
client computer (hereinbelow , called a client) for 
receiving a data retrieval request or a query from the 
5 user; at leastone server computer (hereinbelow, called 
a DB server) for searching a database for information 
service in accordance with the retrieval request from 
the client; a network for connecting each client to 
a desired DB server; and at least one data relay server 

10 located between the client and the DB server, for 
modifying the retrieval request from the client to 
transfer the modified request to the DB server. 

The basic configuration of the data relay server 
includes: a query analyzing unit for analyzing a query 

15 from the client; an encrypted query production unit 
for encrypting a part of the analyzed query; an 
encryption program production unit for producing an 
encryption program for encrypting specific attribute 
data read out from a database by a DB server; a query 

20 message production unit for producing a query message 
including the encrypted query and, as necessary, to 
which the encryption program is added and transmitting 
the query message to a proper DB server; and a retrieval 
result processing unit for performing, as necessary, 

25 re-search or a process of. combining a plurality of 
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retrieval results on a. retrieval result received from 
the DB server. 

The data relay server may include a query 
converting unit for converting a plurality of queries 
5 output from the query analyzing unit to a linked query 
or converting a single query output from the query 
analyzing unit into a plurality of distributive queries 
to distribute a part of the query to another data relay 
server which cooperates with the data relay server. 

10 The data relay server may have a cache database for 
holding, as a copy, a part of data stored in the database 
in the DB server, and a retrieval executing unit for 
searching the cache database for data in response to 
a query from a client. 

15 The DB server to which the invention is applied 

includes: a database for holding data to be provided 
to the user; a data management and retrieval unit for 
managing the database and accepting a query; and a data 
access unit for reading out data from the database in 

20 accordance with the contents of the query. When a part 
of the retrieval condition indicated by the received 
query is encrypted, the data management and retrieval 
unit supplies an encryption program received from the 
data relay server or an encryption program server to 

25 the data access unit. In this case, the data access 
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unit reads out stored data having the attribute 
corresponding to the encrypted retrieval condition 
while encrypting the data, thereby retrieving the data 
matched with the retrieval condition through the 
5 encrypted data matching. 

FIG. 1 shows a first embodiment of a computer 
network system according to the invention. 

In FIG. 1, client computers 10 (10A and 10B) are 
connected to a data relay server 100-1 via a network 

10 21. The data relay server 10 0-1 is connected to another 
data relay server 100-2 via a network 22. The data 
relay servers 100-1 and 100-2 cooperate with each other 
and are connected to a DB server 119 via a network 23. 
In a manner similar to the data relay server 100-1, 

15 the data relay server 100-2 is connected to a plurality 
of client computers (not shown) . The network 21 may 
be, for example, the Ethernet, a local area network 
(LAN) connected via an optical fiber or FDD I , or a wide 
area network (WAN) including the Internet which 

20 operates at speed lower than an LAN. 

Usually, the user issues a query to a database 
system by using a dedicated program or a browser which 
runs on the client computer 10 and obtains a result 
to the query. Consequently, in the following 

25 description, the client computer 10 will be regarded 
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as the query issuing source and a destination of a final 
result. The client computer 10 may take the form of, 
for example, a personal computer such as Hitachi FLORA 
(TM) of Hitachi Limited, an arbitrary computer system 
5 such as Hitachi 3 5 0 0 Works tation (TM) o f H i t achi L imi te d , 
a portable terminal such as Persona (TM) of Hitachi 
Limited, or a portable telephone having a query 
interface . 

Each of the data relay servers 100-1 and 100-2 
10 to which the client computers are connected and the 
DB server 119 for information providing service may 
be an arbitrary computer system such as Hitachi 3500 
workstation (TM) of Hitachi Limited. Further, a data 
management and retrieval system 124 which operates for 
15 information providing service on the DB server 119 may 
take the form of a general database management system 
(DBMS) such as HiRDB (TM) of Hitachi Limited, Oracle8 
(TM) of Oracle Corporation, or DB 2 (TM) of IBM 
Corporation . 

20 Each of the network 22 connecting the data relay 

servers 100-1 and 100-2 and the network 23 connecting 
the data relay servers and the DB server 119 may be, 
for example, the Ethernet, a local area network (LAN) 
connected via an optical fiber or FDDI, or a wide area 

25 network (WAN) including the Internet which operates 
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at speed lower than an LAN. 

Although the networks 21, 22, and 23 are 
independent of each other in this example, they may 
be a single network. Although two client computers 
5 are connected to the data relay server 100-1 , the number 
of client computers is arbitrary. The number of data 
relay servers connected to the network 22 is also 
arbitrary. In the embodiment, in consideration of a 
case where the client computer cannot have an extra 

10 processing capability due to limitation of storage 
capacity, calculation capability, or battery 
capability like in a small portable terminal , a portable 
telephone, or the like, the data relay server is 
disposed between the client computers and the DB server. 

15 A part or all of the functions of the data relay server, 
which will be described hereinlater, may be provided 
for the client computer. 

In the invention, a query message 103 issued by 
the client 10A (or 10B) is received by the data relay 

20 server 100-1 where a part of retrieval conditions is 
encrypted, and a resultant is transferred as an 
encrypted query 115 to the DB server 119. At this time, 
an encryption program 116 is generatedby the data relay 
server 100-1 as necessary and is transferred with the 

25 encrypted query 115 to the DB server 119. 
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The DB server 119 includes a network interface 
120 connected to the network 23, a data management and 
retrieval system 124, and a database 126. In response 
to the query 115, the DB server 119 performs data 
5 retrieval, and transmits a response message 118 
indicative of a retrieval result to the data relay 
server 100-1. The data relay server 100-1 performs 
a predetermined process on the retrieval result 
indicated by the response message 118, and transmits 

10 the resultant as a retrieval result 104 responding to 
the query 103 to the requester client computer 10A. 

FIG. 2 is a block diagram showing a detailed 
configuration of the data relay server 100-1 and FIG. 
3 shows the contents of the query message 103. 

15 Thequerymessagel03 issuedbytheclient computer 

has a configuration of a data portion including a client 
ID 11, security priority 12, and contents of the query 
13, and predetermined header information determined 
by a communication protocol of the network 21. The 

20 contents of the query 13 includes, for example, data 
attribute (data item name) 13S to be selected from the 
database, a name of a file 13F to be accessed, and 
retrieval conditions 13W. The retrieval conditions 
13W include a plurality of definitions 13w-l to 13w-n 

25 for specifying a data entry to be retrieved, and 
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security indication 13E-1 to 13E-n prepared in 
association with the definitions. 

The query 103 issued by the client computer 10A 
is received by a network interface 101 and analyzed 
5 by a query analyzer 106,. and whether or not a retrieving 
process can be performed with data stored in a cache 
database 128 of the data relay server 100-1 is 
determined. For the analysis and determination, a 
method of using partial replica disclosed in Japanese 

10 Unexamined Patent Application No . 01-109758 (Japanese 
Patent Application No. 11-285164) may be applied. 
When the retrieving process can be performed with the 
data stored in the cache database 128, data adapted 
to the retrieval conditions is retrieved from the cache 

15 database 128 by a retrieval unit 113. The retrieval' 
result is edited in the form of a response message by 
a retrieval result processing unit 111, and the response 
message is transmitted to the requester client computer 
via the network interface 101. When no cache database 

20 exists in the data relay server 100-1, or when it is 
determined that the query cannot be responded with the 
data stored in the cache database, the query message 
103 is sent to a query converter 107. 

The operation of the query converter 107 will be 

25 described by referring to the flowchart of FIG. 6. 
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In the query converter 107, after the query message 
103 is received (step 602) , whether the query is to 
be linked or not is determined (step 603 ) . The linkage 
of queries denotes a process of converting a plurality 
5 of queries into one query by linkage to conceal the 
contents of the queries. Not only queries issued by 
the same client computer but also queries issued by 
different client computers can be also the targets of 
linkage . 

10 It is now assumed that data to be provided by the 

information providing system on the DB server 119 is 
a saving amount of a customer and, as shown in FIG. 
7A, a saving balance table 801 indicating a branch name 
803 in which a bank account is registered and a saving 

15 amount 804 in correspondence with a customer ID 802 
is stored in the database 126. 

Assuming now that a query Ql (805) shown in FIG. 
7B is issued from the client computer 10A, and a query 
Q2 (806) shown in FIG. 7C is issued from the client 

20 computer 10B. In this case, the queries Ql and Q2 are 
linked as follows. For example, as shown by reference 
numeral 807 in FIG. 7D, {customer ID, branch, and saving 
amount} as a sum-set of {customer ID, branch, and saving 
amount} as items (attributes) to be selected of Ql and 

25 {customer ID and saving amount} as items to be selected 
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of Q2 are used as data items to be selected. An OR 
of a retrieval condition {saving amount >= 1,000,000} 
in the query Ql and a retrieval condition {saving amount 
<= 10,000 } in the query Q2 is used as a retrieval 
5 condition. Whether the queries are linked or not is 
determined whether another query message which can be 
linked has been received or not. 

After determining whether the linkage is 
necessary or not, whether query distribution is 

10 necessary or not is determined (steps 604 and 605) . 
The query distribution denotes an operation of dividing 
a single query into a plurality of queries and 
distributive queries are transmitted from the 
plurality of data relay servers cooperating with each 

15 other to the DB server 119 in order to conceal the 
relation between the user who issued the query and the 
contents of the query. 

It is now assumed that a linked query 807 shown 
in FIG. 7D is a query to be distributed, and the data 

20 relay server 100-2 transfers a distributive query 
message to the DB server 119 in cooperation with the 
data relay server 100-1. In this case, the query 807 
is divided into, for example, a distributive query DQ1 
(808) shown in FIG. 7E and a distributive query DQ2 

25 (809) shown in FIG. 7F. The distributive query DQ1 
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is sent from the data relay server 100-1 to the DB server 
119. The distributive query DQ2 is transmitted via 
the data relay server 100-2 to the DB server 119. In 
such a manner, in the retrieval result to the query 
5 807, a record of "Shinjuku" as branch is received as 
a response to the distributive query DQ1 by the data 
relay server 100-1. The other records are received 
by the data relay server 100-2 as a response to the 
distributive query DQ 2 and transferred to the data relay 

10 server 100-1. By dividing one query into a plurality 
of distributive queries , the retrieving conditions and 
the issuer indicated by the query 807 can be concealed 
from the information providing system which operates 
on the DB server 119. 

15 The query as a target of distribution may be a 

query before linkage. Whether the query distribution 
is necessary or not is determined by the security 
priority 12 in the received query message 103. When 
the security priority 12 does not instruct concealment 

20 of the contents of the query, the query distribution 
is not performed. 

In the query converter 107, in the case of 
performing both query linkage and query distribution 
(YES in steps 603 and 604 ) , a linked distributive query 

25 is produced (step 607) . A new entry is registered 
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in a retrieval management table 114 shown in FIG. 5 
(step 610) . After that, the query converting process 
is terminated. In the case where the query linkage 
is performed but distribution is not necessary (NO in 
5 step 604) , a linked query is produced (step 606) , and 
step 610 is executed. In the case where the linkage 
is not performed (NO in step 603) but only distribution 
is performed (YES in step 605) , a distributive query 
is produced (step 608) and step 610 is executed. In 

10 the case where both linkage and distribution are not 
necessary (NO in step 605) , step 610 is executed without 
performing the query conversion. 

In the retrieval management table 114, as shown 
in FIG. 5, a plurality of entries EN-1, EN-2 , . . . 

15 corresponding to query messages received by the data 
relay server 100-1 or query messages to be transmitted 
are registered. Each entry includes client ID 1141, 
contents of an original query 1142, contents of a 
converted query 1143, a type of conversion 1144 

20 indicative of the kind of query conversion, and a 1:1 
conversion flag 1145 indicating whether or not a 
retrieval definition encrypted by an encrypted query 
production unit 108 to be described hereinlater and 
the original retrieval definition have the relation 

25 of 1:1. 
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When two query messages Ml and M2 are linked, the 
same data is entered in the field 1143 in both the entry 
EN-1 corresponding to the message Ml and the entry EN-2 
corresponding to the message M2 . In the case where 
5 the contents of the single query message Ml is divided 
into two messages ml and m2 , the two entries EN-1 and 
EN-2 including the same contents in the field 1142 are 
produced. The message ml is set in the field 1143 of 
the entry EN-1, and the message m2 is set in the field 
10 1143 of the entry EN-2. 

When the distributive query message is received 
from another data relay server 100-2, for example, the 
relation between the client ID included in the received 
message and the address of the transmitter (data relay 
15 server 100-2) included in the header of the received 
message is stored in a transfer message management table 
(not shown) . 

Referring again to FIG. 2, the query processed 
by the query converter 107 is transferred to the 

20 encrypted query production unit 108 and a part of the 
contents of the query is encrypted. In the case where 
an encryption method new to the DB server is used for 
encrypting the contents of the query, an encryption 
program corresponding to the. encryption method is 

25 produced by an encryption program production unit 109 . 
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The encrypted query and the encryption program are 
edited into an encrypted query message destined for 
the DB server 119 shown in FIG.l by a DB query message 
production unit 110. The encrypted query message is 
5 transmitted to the network 23 shown in FIG.l via a 
network interface 112 and received by the DB server 
119 . 

The operation of the encrypted query production 
unit 108 and that of the encryption program production 
10 unit 109 will be described by referring to FIGS. 8, 
9, and 10. 

As shown in FIG. 8 , when a query message is received 
from the query converter 107 (step 402) , the encrypted 
query production unit 108 determines whether or not 

15 a data item to be concealed exists in the query condition 
(step 403 } . The presence or absence of the data item 
to be concealed can be determined by checking the 
security indications 13E-1 to 13E-n each provided for 
a retrieval definition in the query message 103 in FIG. 

20 3 received from the client 10 (10A, 10B) . When there 
is no data item to be concealed, the process of the 
encrypted query production unit 108 is terminated 
without encrypting the query and producing an 
encryption program. When the data item to be concealed 

25 exits , data indicated by the condition definition 13W-i 
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designated by the security indication 13E-i is 
encrypted in accordance with a predetermined 
encryption function f e ( ) , thereby producing an 
encrypted query including the encrypted data and the 
5 encryption function (step 404) . 

For example, it is assumed that the DB server 119 
holds a gene arrangement table 901 shown in FIG. 9A 
in the database 126 , and the encrypted query production 
unit 108 receives a query message Q3 (905) including 

10 an arrangement structure = "atcg" as a retrieval 
condition as shown in FIG. 9B. The arrangement 
structure = "actg" is described in the first condition 
definition 13W-1 in the query message Q3 . If the 
security indication 13E-1 instructs security of the 

15 condition definition 13W-1, the data "atcg" is an item 
to be concealed. 

In this case, in step 404 , the data "atcg" 
designated as the data item to be concealed is encrypted 
with a predetermined encryption function fe() , and, 

20 for example, an encrypted query Q4 (906 ) as shown in 
FIG. 9 C i s p r odu ced . The en c r yp te d qu e r y Q 4 de s i gna te s 
"@2aSzE" as an arrangement structure in the retrieval 
condition, and includes "arrangement structure" added 
as a new data item in a SELECT sentence for designating 

25 data to be fetched, for the following reason. That 



26 



is, when it is not assured that the original data value 
"atcg" and encrypted data value "@2aSzE" have the 1:1 
relation, it is necessary to make re-retrieval on the 
retrieval result received from the DB server by using 
5 the arrangement structure "atcg" as a retrieval 
condition on the data relay server side. 

When the retrieval condition to be concealed 
includes an equal sign condition or a sign of 

inequality , the original data value can be converted 

10 with an arbitrary encryption function. When the 
retrieval condition to be concealed includes a sign 
of inequality such as "<", "<", ">", or ">", it is 
necessary to use an encryption method capable of holding 
the relation of the corresponding sign. 

15 In the case of encrypting the retrieval condition, 

tha-t is, producing an encrypted query, whether it is 
necessary to produce an encryption program or not is 
determined (step 405) . When the data relay server 
100-1 uses an existing encryption program registered 

20 in the encryption program server 129 or when the 
encryption program used in step 404 has already been 
notified to the DB server side, production of the 
encryption program is unnecessary. In this case, 
without producing an encryption program, the routine 

25 advances to step 407. If it is necessary to notify 
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the DB server of the encryption program, in cooperation 
with the encryption program production unit 109, the 
encryption program is produced (step 406) and then step 
407 is executed. In step 407, the presence or absence 
5 of 1:1 conversion, that is, a flag value indicating 
whether original data and encrypted data have the 1:1 
relation or not is recorded in the 1:1 conversion flag 
field 1145 in the retrieval management table 114. 

The encryption program will now be described by 

10 referring to FIG. 10. 

When a data item or attribute to be concealed is 
expressed as Tc, a function used for encryption is 
expressed as fe () , an original data value is indicated 
by vb, and an encrypted data value is described as va , 

15 the conversion of the query condition by encryption 
is schematically expressed as FIG. 10. An encryption 
program produced by the encryption program production 
unit 109 is a program for performing a data converting 
process corresponding to the encryption function fe () , 

20 and is used by a data access unit 125 included in the 
data management and retrieval system (DBMS) 124 in the 
DB server 119. 

When the DBMS 124 has a plug-in interface like 
HiRDB (TM) of Hitachi Limited, the encryption program 

25 may be a program satisfying the above-described 
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interface specification. When the DBMS 124 has an 
engine for executing a programming language, a program 
described in the programming language may be used as 
the encryption program. 
5 Referring again to FIG. 2, the encryption query 

production unit 108 sends the query message obtained 
by encrypting a part of the retrieval condition and, 
as necessary, changing the data item to be obtained 
together with a function identifier (encryption 
"10 program identifier) applied for encryption to the DB 

H query message production unit 110. In the case where 

the retrieval condition is not encrypted, the query 

:L message received from the query converter 107 is sent 

to the DB query message production unit 110. In the 

_ 15 case where the encryption program is produced, the 
encryption program is passed from the encryption 
program production unit 109 to the DB query message 
production unit 110. 

On the basis of data received from the encryption 
20 query pr odu c t i on unit 108, for exampl e as shown in FIG. 
4, the DB query message production unit 110 produces 
the encrypted query message (DB query message) 115 
destined for the DB server 119 including the client 
ID 11, encrypted query contents 14, and applied 
25 encryption function ID 15 in the data portion, and 
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•transmits the produced query to the DB server 119 via 
the network interface 112. When the encryption 
program is produced, the encryption program 16 is added 
to the DB encrypted query message 115. 
5 When the message received from the encrypted query 

production unit 108 has the same client ID as that of 
the immediately preceding reception message, the DB 
query message production unit 110 determines that the 
message is a message for distributive query and 
10 transmits the message to a pre-des ignated cooperative 
server, for example, the data relay server 100-2. 

The query process performed by the DB server 119 
will now be described with reference to FIGS. 1 and 
11 . 

15 In the DB server 119, the DB query message 115 

received by the network interface 120 is analyzed by 
the DBMS 124 (step 502) . When the encryption program 
16 is included in the DB query message, it is set in 
the data access unit 125. 

20 The DBMS 124 checks whether or not data 

corresponding to the encrypted retrieval condition in 
the DB query message 115 exists as encrypted data which 
can be collated with the retrieval condition on the 
DB server 119 side (database 126) (step 505) . When 

25 the encrypted data already exists, the DBMS 124 
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instructs the data access unit 125 to read out the item 
to be concealed indicated by the retrieval condition 
of the DB query message, and executes the data retrieval 
process required by the DB query message by using the 
5 encrypted data (step 506) . 

If no encrypted data exists , the DBMS 124 instructs 
the data access unit 125 to read out data entries by 
designating the item to be concealed and the applied 
encryption function ID 15 indicated by the retrieval 

10 condition of the DB query message. The data access 
unit 125 encrypts the item to be concealed in the data 
read out from the database 126 by the encryption program 
corresponding to the encryption function ID 15, and 
outputs the other data items in a normal data format. 

15 The DBMS 124 checks the data read out from the database 
in accordance with the retrieval condition of the query 
message, and retrieves data records matching the 
retrieval condition while comparing the encrypted data 
of the item to be concealed with the retrieval condition 

20 (step 507) . 

For example, when the query message 115 includes 
the encrypted query Q4 shown in FIG. 9C as the retrieval 
conditions and the encryption program fel() , the DBMS 
124 executes the retrieving process without decrypting 

25 the encrypted data included in the query Q4 . At the 
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time of reading out an arrangement structure 904 from 
the gene arrangement table 901 stored in the database 
126, the data access unit 125 is controlled to output 
the stored data of the arrangement structure in the 
5 encrypted format by the function fel() to retrieve a 
record matching the arrangement structure of "@2aSzE" 
indicated by the retrieval condition. 

The DBMS 208 produces a r e spo ns e me s s age including 
the retrieval result (step 508) , transmits the response 

10 message to the data relay server 100-1 or 100-2 as the 
t r an smi s s ion s ou r ce o f the quer y me s s age 1 1 5 (step 509) , 
and the query process is terminated. The response 
message produced by the DBMS 124 is transferred to the 
network and the data relay server via the network 

15 interface 120 as shown by reference numerals 18 and 
118 in FIG. 1. 

It is alsopossible toproduce the responsemessage 
by automatically encrypting a data item which is not 
encrypted in data items included in the retrieval result 

20 by the DBMS 124. Although the retrieval condition and 
the encryption program are simultaneously transmitted 
by the query message 115 in the embodiment, it is also 
possible to transmit only the retrieval condition and 
a function ID applied to encryption by the query message 

25 115, check whether the encryption program 
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corresponding to the function ID has already held on 
the DB server 119 side or not and, if the necessary 
encryption program is not held, send a request of 
transmission of the encryption program from the DB 
5 server 119 to the transmitter server 100-1 or 100-2 
which is the source of the query message 115. 

The data relay server 100-1 processes the 
retrieval result in the response message received via 
the network interface 112 by the retrieval result 
10 processing unit 111. 

FIG. 12 shows a retrieval result processing 
routine 701 executedby the retrieval result proces s ing 
unit 111. 

The retrieval result processing unit 111 refers 
15 to the transfer message management table on the basis 
of the client ID included in the received response 
message and determines whether the response message 
is a response to the query sent by another cooperative 
server or not (step 702) . If the received response 
20 message is a message replying to the query sent from 
the other cooperative server, the response message is 
transferred to the address of the data relay server 
designated by the transfer message management table 
(step 703) , and the routine is terminated. 
25 When the received response message is a response 
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to the query produced by the data relay server 100-1, 
the retrieval management table 114 shown in FIG. 5 is 
referred to on the basis of the client ID included in 
the received response message, and a check is made to 
5 see whether the encrypted data item is included in the 
retrieval result or not (step 704) . When the encrypted 
data item is included, the encrypted data item is 
decrypted (step 705) . 

Subsequently, by referring to the retrieval 

10 management table 114, a check is made to see whether 
the received response message is a response to the 
linkage query or not (step 706 ) . If the received 
response message is a response to the linkage query, 
re-search is executed by applying the retrieval 

15 condition before the linkage conversion indicated by 
the contents 1142 of the original query in the retrieval 
management table 114 to produce the correct retrieval 
result to the query issued by each client computer (step 
710) . After that, a response message destined for the 

20 requester client computer included in the re-search 
result is produced (step 712) and transmitted to the 
network 21 via the network interface 101 (step 713) . 

When the received response message is not a reply 
to the linkage query, a check is made to see whether 

25 the received response message is a reply to the 
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distributive query or not (step 707) . In the case where 
the received response message is a response to the 
distributive query, whether all responses (retrieval 
results) to the distributive query are completed or 
5 not is checked (step 70 8) . When all the responses are 
completed, in step 710, re-search is executed by 
applying the retrieval condition before the 
distributive conversion indicated by the contents 1142 
of the original query in the retrieval management table 

10 114. When all responses to the distributive query are 
not completed yet, the retrieval result is stored in 
a temporary storage area in the distributive query 
retrieval result prepared on a work memory (step 709) , 
and the routine is terminated. The check in step 708 

15 is made by referring to the temporary storage area in 
the distributive query retrieval result. 

When the determination result in step 707 is NO, 
it means that the retrieval result is a response to 
the query which has not been converted by the query 

20 converter 107. In this case, whether the encryption 
function adapted to the retrieval condition of the query 
is a function for 1:1 conversion or not is determined 
(step 711) . When the encryption function is not for 
the 1:1 conversion, it means that data of two or more 

25 different values becomes data of the same value by the 
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encryption, and a retrieval result obtained by the 
encrypted retrieval condition is-a solution set larger 
than the retrieval result obtained by the retrieval 
. condition which is not encrypted. In this case, 
5 re-search is executed with the original retrieval 
condition indicatedbythe contents 1142 of the original 
query in the retrieval management table 114 on the 
retrieval result notified from the DB server (step 710) , 
thereby producing a correct retrieval result to the 

10 query issued from the client computer. 

In the case where the encryption function is for 
the 1:1 conversion, according to the retrieval result 
notified from the DB server, the response message for 
the requester client computer is produced (step 712) , 

15 and the response message is transmitted to the network 
21 (step 713) . 

As obvious from the foregoing embodiment, 
according to the invention, information providing 
service highly assuring the security of the 

20 confidential condition included in a query of the user 
can be provided. By the invention, the user of each 
client computer can receive the information providing 
service while concealing the conditions desired to be 
protected, and the confidentiality of the user can be 

25 protected from an ill-intentioned manager of a DB 
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s e rve r . 

The data relay server according to the invention 
can be applied to, for example, a query relay service 
method for selectively transferring a query from the 
5 user only to an information providing server capable 
of assuring the security of a confidential condition 
included in the query. The data relay server of the 
invention can be also applied to, for example, 
information service of collecting service charge 
10 information from a plurality of information providing 
servers, paying a counter value for the information 
providing servers, dividing the charging information 
by the clients, and charging each client for the 
s erv ice. 
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